Published Photos of COVID Patients Lead to $80,000 HIPAA Settlement | Practical Law

Practical Law Legal Update w-041-4511 (Approx. 6 pages)

by Practical Law Employee Benefits & Executive Compensation
Published on 21 Nov 2023 | USA (National/Federal)
The Department of Health and Human Services (HHS) has announced an $80,000 settlement of potential Privacy Rule violations under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) involving a New York-based, nonprofit academic medical center (and HIPAA covered entity (CE)). The enforcement action arose after a national news organization published an article about the medical center's COVID-19 response efforts that included photographs and information about patients being treated for COVID-19 at the medical center.
On November 20, 2023, HHS issued a settlement agreement with a New York-based, nonprofit academic medical center (and HIPAA covered entity (CE)) for potential violations of HIPAA's Privacy Rule (see HIPAA Privacy, Security, and Breach Notification Toolkit and Practice Note, HIPAA Privacy Rule) (Resolution Agreement (Nov. 20, 2023); see related press release). Under the agreement, the medical center must:
  • Pay $80,000 to resolve the action.
  • Comply with a two-year corrective action plan (CAP).
HHS began reviewing the medical center's HIPAA compliance after a national news organization published an article about the medical center's COVID-19 response efforts. The article included photographs and information about three patients who were being treated for COVID-19 at the facility. HHS's investigation indicated that the medical center disclosed patients' protected health information (PHI) to a reporter without the patients' authorizations in April 2020 (toward the start of the pandemic). According to HHS, the images at issue, which were distributed nationally, exposed PHI consisting of patients':
  • COVID-19 diagnoses.
  • Current medical statuses/prognoses, vital signs, and treatment plans.

Corrective Action Plan Addresses Policies, Procedures, Training, and More

In addition to the $80,000 payment, the medical center must comply with a CAP that imposes obligations involving HIPAA policies and procedures and training.

HIPAA Policies and Procedures

Regarding policies and procedures, the medical center must develop, maintain, and revise its written HIPAA policies and procedures to:
  • Specifically prohibit the use or disclosure of patients' PHI by the medical center's workforce members, agents, and HIPAA business associates (BAs) to persons and entities engaged in photography, video recording, and audio recording without authorizations from the patients or their authorized representatives (see Standard Document, HIPAA Business Associate Agreement).
  • Include a process for evaluating and approving requests concerning the use or disclosure of PHI before allowing third parties to access patient PHI, treatment areas, or other facility areas where PHI is accessible in written, electronic, or oral form (or other audio or visual forms).
  • Adopt an internal process that requires workforce members to promptly report violations of the medical center's HIPAA policies and procedures to the designated Privacy Officer and requires the medical center to promptly investigate and address reports of violations (see Practice Note, HIPAA Privacy Rule: Privacy and Security Officer).
  • Identify medical center personnel or representatives that workforce members, agents, or BAs may contact with questions about HIPAA compliance.
  • Require medical center personnel to actively monitor all photography, video recording, and audio recording conducted at medical center facilities by third parties, including recording for purposes unrelated to medical treatment.
  • Implement policies for the medical center to promptly investigate and address any reported violations.
  • Impose appropriate sanctions for workforce members who fail to comply with the medical center's policies and procedures.
  • Include policies and procedures that comply with HIPAA's breach notification rule (see Practice Note, HIPAA Breach Notification Rules).
The medical center must submit the revised policies to HHS for approval. After the policies are approved, the medical center must:
  • Finalize and adopt the policies and procedures, and timely distribute them to workforce members.
  • Obtain from each workforce member a written or electronic certification stating that the workforce member has read, understands, and will comply with the policies and procedures. The medical center may not allow a workforce member who has not provided this certification to access PHI.
  • Assess and, if necessary, revise the policies and procedures each year.
If the medical center's policies and procedures are revised going forward, the center must re-submit them to HHS for approval and obtain new compliance certifications from workforce members.

Reportable Events

The medical center also must report workforce members' violations, if any, of the approved policies and procedures (called reportable events) to HHS. The reports must include:
  • A full description of the event, including relevant facts, individuals involved, and any provisions of the medical center's HIPAA policies and procedures at issue.
  • A description of the actions the medical center took in response and to mitigate any harm and prevent future violations, including sanctions against workforce members.

Training

The medical center must submit its HIPAA training materials to HHS for approval. Once the training materials are approved, the medical center must:
  • Timely provide training (and annual retraining) on the medical center's policies and procedures to all workforce members (see Standard Document, HIPAA Training for Group Health Plans: Presentation Materials).
  • Obtain a written or electronic certification from workforce members indicating they received and understood the training.
  • Review and, if necessary, update the training on an annual basis.
  • Not grant access to PHI to workforce members who did not provide the written or electronic certification.

Practical Impact

Early in the COVID-19 pandemic (but after the events at issue in this latest HIPAA settlement agreement), HHS issued guidance addressing how HIPAA's privacy requirements may limit the filming of individuals receiving COVID-19 treatment in hospital settings. That guidance confirmed that the COVID-19 public health emergency (PHE) did not alter the Privacy Rule's existing restrictions on disclosing individuals' PHI to the media. Under HIPAA, health care providers and other CEs may not:
  • Provide the media, including film crews, access to areas of their facilities where patients' PHI is accessible in any form (including written, electronic, oral, or other visual or audio form), without first obtaining a written HIPAA authorization from each individual whose PHI would be accessible to the media.
  • Require patients to sign a HIPAA authorization as a condition of receiving treatment.